Independent Submission                                           H. Hotz
Request for Comments: 6717                    Jet Propulsion Lab, Caltech
Category: Informational                                       R. Allbery
ISSN: 2070-1721                                      Stanford University
                                                             August 2012
kx509 Kerberized Certificate Issuance Protocol in Use in 2012
Abstract
This document describes a protocol, called kx509, for using Kerberos
tickets to acquire X.509 certificates. These certificates may be
used for many of the same purposes as X.509 certificates acquired by
other means, but if a Kerberos infrastructure already exists, then
the overhead of using kx509 may be much less.
While not standardized, this protocol is already in use at several
large organizations, and certificates issued with this protocol are
recognized by the International Grid Trust Federation.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6717.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Hotz & Allbery                Informational                      [Page 1]
RFC 6717                          kx509                       August 2012

Table of Contents
1. Introduction ....................................................2
1.1. Requirements Language ......................................3
2. Protocol Data ...................................................3
2.1. Request Packet .............................................3
2.2. Reply Packet ...............................................4
3. Protocol Operation ..............................................7
4. Acknowledgements ................................................8
5. IANA Considerations .............................................8
6. Security Considerations .........................................9
7. References .....................................................10
7.1. Normative References ......................................10
7.2. Informative References ....................................10
Appendix A. Certificate Caching and Deployment Considerations ....12
Appendix B. Historic Extensions ..................................12
Appendix C. Example Exchange .....................................12
1. Introduction
The two primary ways of providing cryptographically secure
identification on the Internet are Kerberos tickets [RFC4120] and
X.509 [RFC5280] [X.509] certificates.
In practical IT infrastructure where both are in use, it is highly
desirable to deploy their support in a way that guarantees they both
authoritatively refer to the same entities. There is already a
widely adopted standard for using X.509 certificates to acquire
corresponding Kerberos tickets, called Public Key Cryptography for
Initial Authentication in Kerberos (PKINIT) [RFC4556]. This document
describes the kx509 protocol, which supports the symmetric operation
of acquiring X.509 certificates using Kerberos tickets.
Preparing and reviewing this document exposed a number of issues that
are discussed in the security considerations. Unfortunately, some of
them can only be addressed with an incompatible upgrade to this
protocol. The IETF's Kerberos working group has an expected work
item to address these issues.
The International Grid Trust Federation [IGTF] supports the use of
Short Lived Credential Services [SLCS] as a means to authenticate for
resource usage based on other, native identity stores that an
organization maintains. Issuance of X.509 certificates using the
kx509 protocol, based on a Kerberos identity, is one of the recognized
credential services. The certificate profile for that use is outside